Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Cyberattack Bulletin: How Attackers Use Shodan & FOFA

Vectra AI Japan、ITR発行の最新レポート内「NDR市場」にて国内トップシェアを獲得
詳細を見る
Hamburger icon top line
Hamburger icon middle line
Hamburger icon bottom line
Back to all detections

Azure Suspicious VM Run Command Execution

Azure Suspicious VM Run Command Execution
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Triggers

  • The Microsoft Entra Identity executing the command does not typically perform Run Commands on Azure VMs.
  • The execution of the Run Command is occurring outside of regular business hours.
  • Multiple instances of suspicious Run Command executions are detected within a short timeframe.
  • Run Commands are being executed anomalously across multiple VMs.

Possible Root Causes

  • Unauthorized Access: An attacker has gained access to a Microsoft Entra Identity and is using it to execute Run Commands on VMs without permission.
  • Misconfigured Permissions: A Microsoft Entra Identity has excessive privileges, allowing them to execute Run Commands on VMs they should not have access to.
  • Malware or Exploitation Tool: An attacker is using malware or tools to abuse the VM�s operating system, escalate privileges, and execute Run Commands.
  • Legitimate Administrative Action: A valid Microsoft Entra Identity is running a script to configure a new VM for production use, requiring Run Commands with elevated privileges.
  • Automated Deployment: A legitimate application is utilizing Azure�s Run Command feature to automate updates and patches for a VM or fleet of VMs.

Business Impact

  • Data loss or corruption due to unauthorized deletions.
  • Security breaches resulting from the exploitation of vulnerabilities or abuse of privileges.
  • Compliance issues due to non-adherence to security policies.
  • Downtime and revenue loss caused by malicious activity.

Steps to Verify

  • Review the actions taken by the Microsoft Entra Identity after the identified activity to assess potential risks.
  • Investigate the Microsoft Entra Identity executing the Run Command for any signs of unauthorized access or excessive privileges.
  • Analyze the parameters used in the Run Command to identify potential security risks, such as the deletion of sensitive data.
  • Verify if the suspicious Run Commands are occurring within regular business hours or if there are multiple instances within a short timeframe.
  • Ensure that the VM�s configuration and permissions align with organizational security policies.
Azure Suspicious VM Run Command Execution

Possible root causes

Malicious Detection

Benign Detection

Azure Suspicious VM Run Command Execution

Example scenarios

Azure Suspicious VM Run Command Execution

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Azure Suspicious VM Run Command Execution

Steps to investigate

Azure Suspicious VM Run Command Execution

MITRE ATT&CK techniques covered

Cloud Administration Command

T1651

Command and Scripting Interpreter

T1059
Azure Suspicious VM Run Command Execution

Related detections

No items found.

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs